Malware Devil

Monday, June 21, 2021

ESB-2021.2194 – [SUSE] webkit2gtk3: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2194
Security update for webkit2gtk3
21 June 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: webkit2gtk3
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands — Remote/Unauthenticated
Access Confidential Data — Console/Physical
Access Confidential Data — Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-1871 CVE-2021-1870 CVE-2021-1844
CVE-2021-1801 CVE-2021-1799 CVE-2021-1789
CVE-2021-1788 CVE-2021-1765 CVE-2020-29623
CVE-2020-27918 CVE-2020-13584 CVE-2020-13558
CVE-2020-13543 CVE-2020-9983 CVE-2020-9951
CVE-2020-9948 CVE-2020-9947

Reference: ESB-2021.2160
ESB-2021.1866
ESB-2021.1846
ESB-2021.1582
ESB-2021.1566

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211990-1

– ————————–BEGIN INCLUDED TEXT——————–

SUSE Security Update: Security update for webkit2gtk3

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1990-1
Rating: important
References: #1177087 #1179122 #1179451 #1182286 #1184155 #1184262
Cross-References: CVE-2020-13543 CVE-2020-13558 CVE-2020-13584 CVE-2020-27918
CVE-2020-29623 CVE-2020-9947 CVE-2020-9948 CVE-2020-9951
CVE-2020-9983 CVE-2021-1765 CVE-2021-1788 CVE-2021-1789
CVE-2021-1799 CVE-2021-1801 CVE-2021-1844 CVE-2021-1870
CVE-2021-1871
Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud 8
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP2-BCL
HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 17 vulnerabilities is now available.

Description:

This update for webkit2gtk3 fixes the following issues:

o Update to version 2.32.1: + Improve handling of Media Capture devices. +
Improve WebAudio playback. + Improve video orientation handling. + Improve
seeking support for MSE playback. + Improve flush support in EME
decryptors. + Fix HTTP status codes for requests done through a custom URI
handler. + Fix the Bubblewrap sandbox in certain 32-bit systems. + Fix
inconsistencies between the WebKitWebView.is-muted property state and
values returned by webkit_web_view_is_playing_audio(). + Fix the build with
ENABLE_VIDEO=OFF. + Fix wrong timestamps for long-lived cookies. + Fix UI
process crash when failing to load favicons. + Fix several crashes and
rendering issues.
o Including Security fixes for: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871,
CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789,
CVE-2021-1799, CVE-2021-1801, CVE-2021-1870, CVE-2020-13558,
CVE-2020-13584, CVE-2020-9983, CVE-2020-13543, CVE-2020-9947,
CVE-2020-9948, CVE-2020-9951.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:

o SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1990=1
o SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1990=1
o SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1990=1
o SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1990=1
o SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1990=1
o SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1990=1
o SUSE Linux Enterprise Server for SAP 12-SP3:
zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1990=1
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1990=1
o SUSE Linux Enterprise Server 12-SP4-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1990=1
o SUSE Linux Enterprise Server 12-SP3-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1990=1
o SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1990=1
o SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1990=1
o HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2021-1990=1

Package List:

o SUSE OpenStack Cloud Crowbar 9 (x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE OpenStack Cloud Crowbar 9 (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE OpenStack Cloud Crowbar 8 (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE OpenStack Cloud Crowbar 8 (x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE OpenStack Cloud 9 (x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE OpenStack Cloud 9 (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE OpenStack Cloud 8 (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE OpenStack Cloud 8 (x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le
s390x x86_64):
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
webkit2gtk3-devel-2.32.1-2.63.3
o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP5 (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3
o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
webkit2gtk3-devel-2.32.1-2.63.3
o HPE Helion Openstack 8 (x86_64):
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3
libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3
libwebkit2gtk-4_0-37-2.32.1-2.63.3
libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2-4_0-2.32.1-2.63.3
typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3
webkit2gtk3-debugsource-2.32.1-2.63.3
o HPE Helion Openstack 8 (noarch):
libwebkit2gtk3-lang-2.32.1-2.63.3

References:

o https://www.suse.com/security/cve/CVE-2020-13543.html
o https://www.suse.com/security/cve/CVE-2020-13558.html
o https://www.suse.com/security/cve/CVE-2020-13584.html
o https://www.suse.com/security/cve/CVE-2020-27918.html
o https://www.suse.com/security/cve/CVE-2020-29623.html
o https://www.suse.com/security/cve/CVE-2020-9947.html
o https://www.suse.com/security/cve/CVE-2020-9948.html
o https://www.suse.com/security/cve/CVE-2020-9951.html
o https://www.suse.com/security/cve/CVE-2020-9983.html
o https://www.suse.com/security/cve/CVE-2021-1765.html
o https://www.suse.com/security/cve/CVE-2021-1788.html
o https://www.suse.com/security/cve/CVE-2021-1789.html
o https://www.suse.com/security/cve/CVE-2021-1799.html
o https://www.suse.com/security/cve/CVE-2021-1801.html
o https://www.suse.com/security/cve/CVE-2021-1844.html
o https://www.suse.com/security/cve/CVE-2021-1870.html
o https://www.suse.com/security/cve/CVE-2021-1871.html
o https://bugzilla.suse.com/1177087
o https://bugzilla.suse.com/1179122
o https://bugzilla.suse.com/1179451
o https://bugzilla.suse.com/1182286
o https://bugzilla.suse.com/1184155
o https://bugzilla.suse.com/1184262

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYM/8aONLKJtyKPYoAQh1Dw//baIKBfDXFQoR5/82fay0Gi/hbDcNTFY5
kIEDp1sOzsVY8QNgZ56+CeYQUpZOQXKN+r+vD+JkcRN71y2VNp5jbzf22SowrXEJ
J4/OnfUgJac+0JPnSmmAC3WLIHp1ZvWR0uKTPYcBhe0fUrH1yk1Kwb4yTurhKP5H
tdO62XzF8L3jBSI0mMQLqC/yc0QV5DKFnd6+BNrqze8a4luwof0kQDaRHcVUqQ7x
vEiBjfI0UbyQn3nfU8PtOT5H2MO2ezBftTePSXyHXXtXfBOx9l9phNIB0lREvdUU
WlCWOr1kBS8VacGYk07E0p9J2FjyJG8GnY+m0z8sRaImPwskcafoUfezJd2XhjGt
OJzleImkteas8w50t7yz6XhFEL4i6E3uL2vCc/xFuINc5hxSJDB8h6adJlt24Uo4
VE/1SsMHYqc7qkgecaOH9ydoRl/80L9LLyLliaDy8LnpxHBoDj96v7xxn4b8O8bd
GAje1daxPnNrSoqqH8ANhqPWD9WZj+XSF+P0hJkxWutoeRpFf1/LrY2MgtwxzUxx
Z/Uuf4IPKIltBQydky4pJ23AnRq3ky2BsYPZklB3IEeN1lZvCrxvXaxXMYWz1lpM
rtVt16VhvVyh4PtoK+6v4mXhGxjlYW1VS9JiiC/3OxCR11GDSMGg8uFKonVYJSPh
VzRFZPc6d2I=
=JvB4
—–END PGP SIGNATURE—–

Read More

The post ESB-2021.2194 – [SUSE] webkit2gtk3: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/06/21/esb-2021-2194-suse-webkit2gtk3-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2194-suse-webkit2gtk3-multiple-vulnerabilities

No comments:

Post a Comment

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...